- Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules. - Call rpm_transition_script() from rpm_run() interface. - radvd has setuid and it requires dac_override; allow it. BZ(1224403) - Add glusterd_manage_lib_files() interface. - Allow samba_t net_admin capability to make CIFS mount working. - S30samba-start gluster hooks wants to search audit logs. Dontaudit it. - Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531) - ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822) - Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484) - Allow nagios to generate charts. - Allow glusterd to send generic signals to systemd_passwd_agent processes. - Allow glusterd to run init scripts. - Allow glusterd to execute /usr/sbin/xfs_db in glusterd_t domain. - Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block. - Allow samba-net to access /var/lib/ctdbd dirs/files. - Allow glusterd to send a signal to smbd. - Make ctdbd as home manager to access also FUSE. - Allow glusterd to use geo-replication gluster tool. - Allow glusterd to execute ssh-keygen. - Allow glusterd to interact with cluster services. - Add rhcs_dbus_chat_cluster() - systemd-logind accesses /dev/shm. BZ(1230443) - Label gluster python hooks also as bin_t. - Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so. - Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
This commit is contained in:
parent
8f46225b71
commit
66628cef58
@ -2744,7 +2744,7 @@ index 99e3903..fa68362 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 1d732f1..0dbda7d 100644
|
||||
index 1d732f1..6a6da75 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
||||
@ -2973,13 +2973,16 @@ index 1d732f1..0dbda7d 100644
|
||||
userdom_use_unpriv_users_fds(passwd_t)
|
||||
# make sure that getcon succeeds
|
||||
userdom_getattr_all_users(passwd_t)
|
||||
@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
@@ -352,6 +383,18 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||
+userdom_stream_connect(passwd_t)
|
||||
+userdom_rw_stream(passwd_t)
|
||||
+
|
||||
+# needed by gnome-keyring
|
||||
+userdom_manage_user_tmp_files(passwd_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_exec_keyringd(passwd_t)
|
||||
+ gnome_manage_cache_home_dir(passwd_t)
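Review bot: `gnome_manage_cache_home_dir(passwd_t)` gives a setuid-root domain create/write/delete access over the user's gnome cache home content, while the commit message scopes the need to /run/user/UID/keyring; if the keyring socket under the runtime directory is what gnome-keyring needs when launched from passwd, a narrower interface on that runtime directory (or stream connect alone, which `userdom_stream_connect`/`userdom_rw_stream` above already provide) would keep passwd_t's writable surface smaller. The same question applies to `userdom_manage_user_tmp_files(passwd_t)`, whose only justification is `# needed by gnome-keyring`; recording the path would help the next reviewer, e.g. `# gnome-keyring launched from passwd creates its socket/state here — TODO confirm the exact path`. I cannot tell from the outer header which of these lines are new in this commit (the inner hunk grows by three lines, which matches the optional_policy block). The passwd_t policy section continues outside the hunk.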
|
||||
@ -2989,7 +2992,7 @@ index 1d732f1..0dbda7d 100644
|
||||
|
||||
optional_policy(`
|
||||
nscd_run(passwd_t, passwd_roles)
|
||||
@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t)
|
||||
@@ -401,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
|
||||
fs_getattr_xattr_fs(sysadm_passwd_t)
|
||||
fs_search_auto_mountpoints(sysadm_passwd_t)
|
||||
|
||||
@ -3002,7 +3005,7 @@ index 1d732f1..0dbda7d 100644
|
||||
auth_manage_shadow(sysadm_passwd_t)
|
||||
auth_relabel_shadow(sysadm_passwd_t)
|
||||
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
||||
@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
@@ -416,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
|
||||
|
||||
domain_use_interactive_fds(sysadm_passwd_t)
|
||||
|
||||
@ -3010,7 +3013,7 @@ index 1d732f1..0dbda7d 100644
|
||||
files_relabel_etc_files(sysadm_passwd_t)
|
||||
files_read_etc_runtime_files(sysadm_passwd_t)
|
||||
# for nscd lookups
|
||||
@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
@@ -426,12 +469,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
|
||||
# correctly without it. Do not audit write denials to utmp.
|
||||
init_dontaudit_rw_utmp(sysadm_passwd_t)
|
||||
|
||||
@ -3023,7 +3026,7 @@ index 1d732f1..0dbda7d 100644
|
||||
userdom_use_unpriv_users_fds(sysadm_passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
@@ -446,7 +483,8 @@ optional_policy(`
|
||||
@@ -446,7 +486,8 @@ optional_policy(`
|
||||
# Useradd local policy
|
||||
#
|
||||
|
||||
@ -3033,7 +3036,7 @@ index 1d732f1..0dbda7d 100644
|
||||
dontaudit useradd_t self:capability sys_tty_config;
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow useradd_t self:process setfscreate;
|
||||
@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@@ -461,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow useradd_t self:unix_dgram_socket sendto;
|
||||
allow useradd_t self:unix_stream_socket connectto;
|
||||
|
||||
@ -3044,7 +3047,7 @@ index 1d732f1..0dbda7d 100644
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctls(useradd_t)
|
||||
|
||||
@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t)
|
||||
@@ -468,29 +513,28 @@ corecmd_exec_shell(useradd_t)
|
||||
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
|
||||
corecmd_exec_bin(useradd_t)
|
||||
|
||||
@ -3084,7 +3087,7 @@ index 1d732f1..0dbda7d 100644
|
||||
|
||||
auth_run_chk_passwd(useradd_t, useradd_roles)
|
||||
auth_rw_lastlog(useradd_t)
|
||||
@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t)
|
||||
@@ -498,6 +542,7 @@ auth_rw_faillog(useradd_t)
|
||||
auth_use_nsswitch(useradd_t)
|
||||
# these may be unnecessary due to the above
|
||||
# domtrans_chk_passwd() call.
|
||||
@ -3092,7 +3095,7 @@ index 1d732f1..0dbda7d 100644
|
||||
auth_manage_shadow(useradd_t)
|
||||
auth_relabel_shadow(useradd_t)
|
||||
auth_etc_filetrans_shadow(useradd_t)
|
||||
@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t)
|
||||
@@ -508,33 +553,32 @@ init_rw_utmp(useradd_t)
|
||||
logging_send_audit_msgs(useradd_t)
|
||||
logging_send_syslog_msg(useradd_t)
|
||||
|
||||
@ -3137,7 +3140,7 @@ index 1d732f1..0dbda7d 100644
|
||||
optional_policy(`
|
||||
apache_manage_all_user_content(useradd_t)
|
||||
')
|
||||
@@ -549,10 +590,19 @@ optional_policy(`
|
||||
@@ -549,10 +593,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -3157,7 +3160,7 @@ index 1d732f1..0dbda7d 100644
|
||||
tunable_policy(`samba_domain_controller',`
|
||||
samba_append_log(useradd_t)
|
||||
')
|
||||
@@ -562,3 +612,12 @@ optional_policy(`
|
||||
@@ -562,3 +615,12 @@ optional_policy(`
|
||||
rpm_use_fds(useradd_t)
|
||||
rpm_rw_pipes(useradd_t)
|
||||
')
|
||||
@ -3343,7 +3346,7 @@ index 7590165..d81185e 100644
|
||||
+ fs_mounton_fusefs(seunshare_domain)
|
||||
')
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 33e0f8d..c5c1122 100644
|
||||
index 33e0f8d..d41bb39 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -1,9 +1,10 @@
|
||||
@ -3683,7 +3686,7 @@ index 33e0f8d..c5c1122 100644
|
||||
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@@ -387,17 +469,33 @@ ifdef(`distro_suse', `
|
||||
@@ -387,17 +469,34 @@ ifdef(`distro_suse', `
|
||||
#
|
||||
# /var
|
||||
#
|
||||
@ -3705,6 +3708,7 @@ index 33e0f8d..c5c1122 100644
|
||||
/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
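Review bot: The new `/var/lib/glusterd/hooks/.*/.*\.py` entry labels files inside a daemon-writable state directory as bin_t, which makes whatever lands there executable by every domain holding corecmd_exec_bin rights, not only glusterd_t; combined with the glusterd_manage_lib_files() interface this commit also adds, any domain granted that interface could place content that later becomes bin_t. File contexts also only apply at relabel time, so a hook created at runtime inherits the parent directory's type unless a filetrans rule exists; if glusterd itself writes hooks, a filetrans rule on the hooks directory (or a dedicated hook type with an exec rule limited to glusterd_t) would be more consistent than a bin_t fc entry. A short comment above the two entries would record the intent, e.g. `# gluster hook scripts (presumably run by glusterd_t) are labeled bin_t so the shell/python interpreters execute them without a transition`. I infer the executing domain from the changelog, not from visible policy, and the ifdef(`distro_suse') block continues outside the hunk.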
|
||||
@ -23857,7 +23861,7 @@ index fe0c682..3ad1b1f 100644
|
||||
+ ps_process_pattern($1, sshd_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
||||
index cc877c7..66bf790 100644
|
||||
index cc877c7..b8e6e98 100644
|
||||
--- a/policy/modules/services/ssh.te
|
||||
+++ b/policy/modules/services/ssh.te
|
||||
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
|
||||
@ -24193,7 +24197,7 @@ index cc877c7..66bf790 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -266,6 +327,15 @@ optional_policy(`
|
||||
@@ -266,6 +327,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24205,11 +24209,15 @@ index cc877c7..66bf790 100644
|
||||
+ gitosis_manage_lib_files(sshd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_exec_keyringd(sshd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
|
||||
@@ -275,10 +345,26 @@ optional_policy(`
|
||||
@@ -275,10 +349,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
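Review bot: `gnome_exec_keyringd(sshd_t)` is, by its naming convention, an exec-without-transition interface, so a gnome-keyring-daemon started through pam_gnome_keyring would run inside sshd_t itself and inherit sshd's capabilities rather than a keyring domain; if the gnome module offers a domain-transition variant, that would contain the daemon, and if not, the block deserves a comment stating the consequence, e.g. `# pam_gnome_keyring: keyringd runs in sshd_t (no transition); confine if a gnome keyring domain becomes available`. The rule is also unconditional rather than gated by a tunable, so systems without pam_gnome_keyring still carry the exec permission; a boolean would keep the default profile tighter. I cannot see the interface body, so the no-transition reading is inferred from the name. The list of sshd_t optional_policy blocks continues outside the hunk.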
|
||||
@ -24236,7 +24244,7 @@ index cc877c7..66bf790 100644
|
||||
rpm_use_script_fds(sshd_t)
|
||||
')
|
||||
|
||||
@@ -289,13 +375,93 @@ optional_policy(`
|
||||
@@ -289,13 +379,93 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24330,7 +24338,7 @@ index cc877c7..66bf790 100644
|
||||
########################################
|
||||
#
|
||||
# ssh_keygen local policy
|
||||
@@ -304,19 +470,33 @@ optional_policy(`
|
||||
@@ -304,19 +474,33 @@ optional_policy(`
|
||||
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
|
||||
# and by sysadm_t
|
||||
|
||||
@ -24365,7 +24373,7 @@ index cc877c7..66bf790 100644
|
||||
dev_read_urand(ssh_keygen_t)
|
||||
|
||||
term_dontaudit_use_console(ssh_keygen_t)
|
||||
@@ -332,7 +512,9 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
@@ -332,7 +516,9 @@ auth_use_nsswitch(ssh_keygen_t)
|
||||
|
||||
logging_send_syslog_msg(ssh_keygen_t)
|
||||
|
||||
@ -24375,7 +24383,7 @@ index cc877c7..66bf790 100644
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ssh_keygen_t)
|
||||
@@ -341,3 +523,148 @@ optional_policy(`
|
||||
@@ -341,3 +527,148 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(ssh_keygen_t)
|
||||
')
|
||||
@ -42591,10 +42599,10 @@ index 0000000..d2a8fc7
|
||||
+')
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
new file mode 100644
|
||||
index 0000000..3c4ffa35
|
||||
index 0000000..0401ad8
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -0,0 +1,720 @@
|
||||
@@ -0,0 +1,721 @@
|
||||
+policy_module(systemd, 1.0.0)
|
||||
+
|
||||
+#######################################
|
||||
@ -42768,6 +42776,7 @@ index 0000000..3c4ffa35
|
||||
+init_halt(systemd_logind_t)
|
||||
+init_undefined(systemd_logind_t)
|
||||
+init_signal_script(systemd_logind_t)
|
||||
+init_getattr_script_status_files(systemd_logind_t)
|
||||
+
|
||||
+getty_systemctl(systemd_logind_t)
|
||||
+
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 129%{?dist}
|
||||
Release: 130%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -602,6 +602,34 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
|
||||
- Allow glusterd to interact with gluster tools running in a user domain
|
||||
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
|
||||
- Call rpm_transition_script() from rpm_run() interface.
|
||||
- Allow radvd has setuid and it requires dac_override. BZ(1224403)
|
||||
- Add glusterd_manage_lib_files() interface.
|
||||
- Allow samba_t net_admin capability to make CIFS mount working.
|
||||
- S30samba-start gluster hooks wants to search audit logs. Dontaudit it.
|
||||
- Reflect logrotate change which moves /var/lib/logrotate.status to /var/lib/logrotate/logrotate.status. BZ(1228531)
|
||||
- ntop reads /var/lib/ntop/macPrefix.db and it needs dac_override. It has setuid/setgid. BZ(1058822)
|
||||
- Allow cloud-init to run rpm scriptlets to install packages. BZ(1227484)
|
||||
- Allow nagios to generate charts.
|
||||
- Allow glusterd to send generic signals to systemd_passwd_agent processes.
|
||||
- Allow glusterd to run init scripts.
|
||||
- Allow glusterd to execute /usr/sbin/xfs_dbin glusterd_t domain.
|
||||
- Calling cron_system_entry() in pcp_domain_template needs to be a part of optional_policy block.
|
||||
- Allow samba-net to access /var/lib/ctdbd dirs/files.
|
||||
- Allow glusterd to send a signal to smbd.
|
||||
- Make ctdbd as home manager to access also FUSE.
|
||||
- Allow glusterd to use geo-replication gluster tool.
|
||||
- Allow glusterd to execute ssh-keygen.
|
||||
- Allow glusterd to interact with cluster services.
|
||||
- Add rhcs_dbus_chat_cluster()
|
||||
- systemd-logind accesses /dev/shm. BZ(1230443)
|
||||
- Label gluster python hooks also as bin_t.
|
||||
- Allow sshd to execute gnome-keyring if there is configured pam_gnome_keyring.so.
|
||||
- Allow gnome-keyring executed by passwd to access /run/user/UID/keyring to change a password.
|
||||
|
||||
* Tue Jun 09 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-129
|
||||
- We need to restore contexts on /etc/passwd*,/etc/group*,/etc/*shadow* during install phase to get proper labeling for these files until selinux-policy pkgs are installed. BZ(1228489)
|
||||
|
||||
|